prevent empty code challenge and undo refactor

Author: visvk

lib/grant-types/abstract-grant-type.js

@@ -30,7 +30,6 @@ function AbstractGrantType(options) {
   this.model = options.model;
   this.refreshTokenLifetime = options.refreshTokenLifetime;
   this.alwaysIssueNewRefreshToken = options.alwaysIssueNewRefreshToken;
-  this.PKCEEnabled = options.PKCEEnabled;
 }
 
 /**

lib/grant-types/authorization-code-grant-type.js

@@ -92,7 +92,6 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
   }
 
   return promisify(this.model.getAuthorizationCode, 1).call(this.model, request.body.code)
-    .bind(this)
     .then(function(code) {
       if (!code) {
         throw new InvalidGrantError('Invalid grant: authorization code is invalid');
@@ -122,20 +121,15 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
         throw new InvalidGrantError('Invalid grant: `redirect_uri` is not a valid URI');
       }
 
-      if (this.PKCEEnabled && client.isPublic) {
-        if (!code.codeChallenge) {
-          throw new InvalidGrantError('Invalid grant: code challenge is invalid');
-        }
-
-        /**
-         * The "code_challenge_method" is bound to the Authorization Code when
-         * the Authorization Code is issued.  That is the method that the token
-         * endpoint MUST use to verify the "code_verifier".
-        */
+      if (code.codeChallenge) {
         if (!code.codeChallengeMethod) {
           throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallengeMethod` property');
         }
 
+        if (!request.body.code_verifier) {
+          throw new InvalidGrantError('Missing parameter: `code_verifier`');
+        }
+
         if (code.codeChallengeMethod === 'plain' && code.codeChallenge !== request.body.code_verifier) {
           throw new InvalidGrantError('Invalid grant: code verifier is invalid');
         }

lib/handlers/authorize-handler.js

@@ -62,7 +62,6 @@ function AuthorizeHandler(options) {
   this.allowEmptyState = options.allowEmptyState;
   this.authenticateHandler = options.authenticateHandler || new AuthenticateHandler(options);
   this.authorizationCodeLifetime = options.authorizationCodeLifetime;
-  this.PKCEEnabled = options.PKCEEnabled;
   this.model = options.model;
 }
 
@@ -99,17 +98,11 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       var scope;
       var state;
       var ResponseType;
-      var codeChallenge;
-      var codeChallengeMethod;
+      var codeChallenge = this.getCodeChallenge(request);
+      var codeChallengeMethod = codeChallenge && this.getCodeChallengeMethod(request);
 
       return Promise.bind(this)
         .then(function() {
-          codeChallenge = this.getCodeChallenge(request, client);
-
-          if (codeChallenge) {
-            codeChallengeMethod = this.getCodeChallengeMethod(request);
-          }
-
           var requestedScope = this.getScope(request);
 
           return this.validateScope(user, client, requestedScope);
@@ -157,19 +150,15 @@ AuthorizeHandler.prototype.generateAuthorizationCode = function(client, user, sc
   return tokenUtil.generateRandomToken();
 };
 
-AuthorizeHandler.prototype.getCodeChallenge = function(request, client) {
+AuthorizeHandler.prototype.getCodeChallenge = function(request) {
   var codeChallenge = request.body.code_challenge || request.query.code_challenge;
 
-  /** 
-   * If the server requires Proof Key for Code Exchange (PKCE) by OAuth
-   * public clients and the client does not send the "code_challenge" in
-   * the request, the authorization endpoint MUST return the authorization
-   * error response with the "error" value set to "invalid_request".  The
-   * "error_description" or the response of "error_uri" SHOULD explain the
-   * nature of error, e.g., code challenge required.
-  */
-  if (this.PKCEEnabled && client.isPublic && _.isEmpty(codeChallenge)) {
-    throw new InvalidRequestError('Missing parameter: `code_challenge`. Public clients must include a code_challenge');
+  if (!codeChallenge || codeChallenge === '') {
+    return;
+  }
+
+  if (!is.vschar(codeChallenge)) {
+    throw new InvalidRequestError('Invalid parameter: `code_challenge`');
   }
 
   return codeChallenge;
@@ -217,7 +206,6 @@ AuthorizeHandler.prototype.getClient = function(request) {
     throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
   }
   return promisify(this.model.getClient, 2).call(this.model, clientId, null)
-    .bind(this)
     .then(function(client) {
       if (!client) {
         throw new InvalidClientError('Invalid client: client credentials are invalid');
@@ -239,15 +227,6 @@ AuthorizeHandler.prototype.getClient = function(request) {
         throw new InvalidClientError('Invalid client: `redirect_uri` does not match client value');
       }
 
-      if (this.PKCEEnabled) {
-        if (client.isPublic === undefined) {
-          throw new InvalidClientError('Invalid client: missing client `isPublic`');
-        }
-
-        if (typeof client.isPublic !== 'boolean') {
-          throw new InvalidClientError('Invalid client: `isPublic` must be a boolean');
-        }
-      }
       return client;
     });
 };

lib/handlers/token-handler.js

@@ -62,7 +62,6 @@ function TokenHandler(options) {
   this.allowExtendedTokenAttributes = options.allowExtendedTokenAttributes;
   this.requireClientAuthentication = options.requireClientAuthentication || {};
   this.alwaysIssueNewRefreshToken = options.alwaysIssueNewRefreshToken !== false;
-  this.PKCEEnabled = options.PKCEEnabled;
 }
 
 /**
@@ -137,7 +136,6 @@ TokenHandler.prototype.getClient = function(request, response) {
   }
 
   return promisify(this.model.getClient, 2).call(this.model, credentials.clientId, credentials.clientSecret)
-    .bind(this)
     .then(function(client) {
       if (!client) {
         throw new InvalidClientError('Invalid client: client is invalid');
@@ -151,16 +149,6 @@ TokenHandler.prototype.getClient = function(request, response) {
         throw new ServerError('Server error: `grants` must be an array');
       }
 
-      if (this.PKCEEnabled) {
-        if (client.isPublic === undefined) {
-          throw new ServerError('Server error: missing client `isPublic`');
-        }
-
-        if (typeof client.isPublic !== 'boolean') {
-          throw new ServerError('Server error: invalid client, `isPublic` must be a boolean');
-        }
-      }
-
       return client;
     })
     .catch(function(e) {
@@ -239,8 +227,7 @@ TokenHandler.prototype.handleGrantType = function(request, client) {
     accessTokenLifetime: accessTokenLifetime,
     model: this.model,
     refreshTokenLifetime: refreshTokenLifetime,
-    alwaysIssueNewRefreshToken: this.alwaysIssueNewRefreshToken,
-    PKCEenabled: this.PKCEenabled
+    alwaysIssueNewRefreshToken: this.alwaysIssueNewRefreshToken
   };
 
   return new Type(options)

lib/server.js

@@ -51,8 +51,7 @@ OAuth2Server.prototype.authenticate = function(request, response, options, callb
 OAuth2Server.prototype.authorize = function(request, response, options, callback) {
   options = _.assign({
     allowEmptyState: false,
-    authorizationCodeLifetime: 5 * 60,   // 5 minutes.
-    PKCEEnabled: false
+    authorizationCodeLifetime: 5 * 60   // 5 minutes.
   }, this.options, options);
 
   return new AuthorizeHandler(options)
@@ -69,8 +68,7 @@ OAuth2Server.prototype.token = function(request, response, options, callback) {
     accessTokenLifetime: 60 * 60,             // 1 hour.
     refreshTokenLifetime: 60 * 60 * 24 * 14,  // 2 weeks.
     allowExtendedTokenAttributes: false,
-    requireClientAuthentication: {},          // defaults to true for all grant types
-    PKCEEnabled: false
+    requireClientAuthentication: {}           // defaults to true for all grant types
   }, this.options, options);
 
   return new TokenHandler(options)

test/integration/grant-types/authorization-code-grant-type_test.js

@@ -379,7 +379,7 @@ describe('AuthorizationCodeGrantType integration', function() {
         revokeAuthorizationCode: function() {},
         saveToken: function() {}
       };
-      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model, PKCEEnabled: true });
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
       var request = new Request({ body: { code: 12345, code_verifier: 'foo' }, headers: {}, method: {}, query: {} });
 
       return grantType.getAuthorizationCode(request, client)
@@ -405,7 +405,7 @@ describe('AuthorizationCodeGrantType integration', function() {
         revokeAuthorizationCode: function() {},
         saveToken: function() {}
       };
-      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model, PKCEEnabled: true });
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
       var request = new Request({ body: { code: 12345, code_verifier: 'foo' }, headers: {}, method: {}, query: {} });
 
       return grantType.getAuthorizationCode(request, client)
@@ -432,7 +432,7 @@ describe('AuthorizationCodeGrantType integration', function() {
         revokeAuthorizationCode: function() {},
         saveToken: function() {}
       };
-      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model, PKCEEnabled: true });
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
       var request = new Request({ body: { code: 12345, code_verifier: codeVerifier }, headers: {}, method: {}, query: {} });
 
       return grantType.getAuthorizationCode(request, client)
@@ -457,7 +457,7 @@ describe('AuthorizationCodeGrantType integration', function() {
         revokeAuthorizationCode: function() {},
         saveToken: function() {}
       };
-      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model, PKCEEnabled: true });
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
       var request = new Request({ body: { code: 12345, code_verifier: 'baz' }, headers: {}, method: {}, query: {} });
 
       return grantType.getAuthorizationCode(request, client)

test/integration/handlers/authorize-handler_test.js

@@ -783,44 +783,6 @@ describe('AuthorizeHandler integration', function() {
           e.message.should.equal('Invalid client: `redirect_uri` does not match client value');
         });
     });
-    describe('with PKCEEnabled', function() {
-      it('should throw an error if `client.isPublic` is missing`', function() {
-        var model = {
-          getAccessToken: function() {},
-          getClient: function() {
-            return { grants: ['authorization_code'], redirectUris: ['https://example.com'] };
-          },
-          saveAuthorizationCode: function() {}
-        };
-        var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model, PKCEEnabled: true });
-        var request = new Request({ body: { client_id: 12345, response_type: 'code', redirect_uri: 'https://example.com' }, headers: {}, method: {}, query: {} });
-
-        return handler.getClient(request)
-          .then(should.fail)
-          .catch(function(e) {
-            e.should.be.an.instanceOf(InvalidClientError);
-            e.message.should.equal('Invalid client: missing client `isPublic`');
-          });
-      });
-      it('should throw an error if `client.isPublic` is invalid`', function() {
-        var model = {
-          getAccessToken: function() {},
-          getClient: function() {
-            return { grants: ['authorization_code'], redirectUris: ['https://example.com'], isPublic: 'foo' };
-          },
-          saveAuthorizationCode: function() {}
-        };
-        var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model, PKCEEnabled: true });
-        var request = new Request({ body: { client_id: 12345, response_type: 'code', redirect_uri: 'https://example.com' }, headers: {}, method: {}, query: {} });
-
-        return handler.getClient(request)
-          .then(should.fail)
-          .catch(function(e) {
-            e.should.be.an.instanceOf(InvalidClientError);
-            e.message.should.equal('Invalid client: `isPublic` must be a boolean');
-          });
-      });
-    });
 
     it('should support promises', function() {
       var model = {

test/integration/handlers/token-handler_test.js

@@ -114,16 +114,6 @@ describe('TokenHandler integration', function() {
       handler.alwaysIssueNewRefreshToken.should.equal(true);
     });
 
-    it('should set the `PKCEEnabled` to true', function() {
-      var model = {
-        getClient: function() {},
-        saveToken: function() {}
-      };
-      var handler = new TokenHandler({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 120, PKCEEnabled: true });
-
-      handler.PKCEEnabled.should.equal(true);
-    });
-
     it('should set the `extendedGrantTypes`', function() {
       var extendedGrantTypes = { foo: 'bar' };
       var model = {
@@ -595,59 +585,6 @@ describe('TokenHandler integration', function() {
           .catch(should.fail);
       });
     });
-    describe('with PKCE enabled', function() {
-      it('should return a client with `isPublic` parameter', function() {
-        var client = { id: 12345, grants: [], isPublic: true };
-        var model = {
-          getClient: function() { return client; },
-          saveToken: function() {}
-        };
-
-        var handler = new TokenHandler({
-          accessTokenLifetime: 120,
-          model: model,
-          refreshTokenLifetime: 120,
-          PKCEEnabled: true
-        });
-        var request = new Request({ body: { client_id: 'foo', client_secret: 'baz', grant_type: 'authorization_code' }, headers: {}, method: {}, query: {} });
-
-        return handler.getClient(request)
-          .then(function(data) {
-            data.should.equal(client);
-          })
-          .catch(should.fail);
-      });
-      it('should throw an error if `client.isPublic` is invalid', function() {
-        var model = {
-          getClient: function() { return { id: 123, grants: [], isPublic: 'foo' }; },
-          saveToken: function() {}
-        };
-        var handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120, PKCEEnabled: true });
-        var request = new Request({ body: { client_id: 12345, client_secret: 'secret' }, headers: {}, method: {}, query: {} });
-
-        return handler.getClient(request)
-          .then(should.fail)
-          .catch(function(e) {
-            e.should.be.an.instanceOf(ServerError);
-            e.message.should.equal('Server error: invalid client, `isPublic` must be a boolean');
-          });
-      });
-      it('should throw an error if `client.isPublic` is missing', function() {
-        var model = {
-          getClient: function() { return { id: 123, grants: [] }; },
-          saveToken: function() {}
-        };
-        var handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120, PKCEEnabled: true });
-        var request = new Request({ body: { client_id: 12345, client_secret: 'secret' }, headers: {}, method: {}, query: {} });
-
-        return handler.getClient(request)
-          .then(should.fail)
-          .catch(function(e) {
-            e.should.be.an.instanceOf(ServerError);
-            e.message.should.equal('Server error: missing client `isPublic`');
-          });
-      });
-    });
 
     it('should support promises', function() {
       var model = {